87df040698da9b5d064813ae7ac55167d3314a4a87f1edab6a37a26703fcdbae

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
Size

90KB
MD5

ce959c8f6828a2b67619d5f4fc219c00
SHA1

acef6c8d084aeb9309e6917b51b9be56aa33f7cd
SHA256

87df040698da9b5d064813ae7ac55167d3314a4a87f1edab6a37a26703fcdbae
SHA512

f51cc54a5ed86bbc25c1b67a768f745748a6bf1cba5b314c852d33e86fcf92ea4b37a7b03879b0e1f52775bb413651f118f5545a39ce853e5c4c736cbd40fe8d
SSDEEP

768:50w981IshKQLroL4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzS:CEGI0oLlVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}\stubpath = "C:\\Windows\\{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe"	{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E4E201A-B147-4be1-BA8A-B6714E888469}	{8DFD860E-2093-454c-BF86-95794D0939E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E4E201A-B147-4be1-BA8A-B6714E888469}\stubpath = "C:\\Windows\\{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe"	{8DFD860E-2093-454c-BF86-95794D0939E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45E914B3-53BF-4e4f-8009-13E40383A3A7}	{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}\stubpath = "C:\\Windows\\{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe"	{EC8F213A-F142-4a33-9470-28494484622D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{369BEFE9-517C-422e-8CE0-F14F78B2398C}	{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4379587-1CD1-4034-B4A3-E0758BD6F21A}\stubpath = "C:\\Windows\\{C4379587-1CD1-4034-B4A3-E0758BD6F21A}.exe"	{369BEFE9-517C-422e-8CE0-F14F78B2398C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16F84879-E3B2-4f54-B9A0-F927B74FDA70}	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}	{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}\stubpath = "C:\\Windows\\{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe"	{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45E914B3-53BF-4e4f-8009-13E40383A3A7}\stubpath = "C:\\Windows\\{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe"	{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{592C24E9-20F7-475b-B226-D39DB40BD825}	{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}\stubpath = "C:\\Windows\\{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe"	{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{369BEFE9-517C-422e-8CE0-F14F78B2398C}\stubpath = "C:\\Windows\\{369BEFE9-517C-422e-8CE0-F14F78B2398C}.exe"	{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DFD860E-2093-454c-BF86-95794D0939E4}	{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DFD860E-2093-454c-BF86-95794D0939E4}\stubpath = "C:\\Windows\\{8DFD860E-2093-454c-BF86-95794D0939E4}.exe"	{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC8F213A-F142-4a33-9470-28494484622D}	{592C24E9-20F7-475b-B226-D39DB40BD825}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}	{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16F84879-E3B2-4f54-B9A0-F927B74FDA70}\stubpath = "C:\\Windows\\{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe"	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}	{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{592C24E9-20F7-475b-B226-D39DB40BD825}\stubpath = "C:\\Windows\\{592C24E9-20F7-475b-B226-D39DB40BD825}.exe"	{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC8F213A-F142-4a33-9470-28494484622D}\stubpath = "C:\\Windows\\{EC8F213A-F142-4a33-9470-28494484622D}.exe"	{592C24E9-20F7-475b-B226-D39DB40BD825}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}	{EC8F213A-F142-4a33-9470-28494484622D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4379587-1CD1-4034-B4A3-E0758BD6F21A}	{369BEFE9-517C-422e-8CE0-F14F78B2398C}.exe

Executes dropped EXE 12 IoCs

pid	Process
2912	{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe
3524	{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe
648	{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe
2468	{8DFD860E-2093-454c-BF86-95794D0939E4}.exe
4340	{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe
3424	{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe
2028	{592C24E9-20F7-475b-B226-D39DB40BD825}.exe
1160	{EC8F213A-F142-4a33-9470-28494484622D}.exe
3204	{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe
648	{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe
2352	{369BEFE9-517C-422e-8CE0-F14F78B2398C}.exe
4556	{C4379587-1CD1-4034-B4A3-E0758BD6F21A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe	{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe
File created	C:\Windows\{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe	{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe
File created	C:\Windows\{592C24E9-20F7-475b-B226-D39DB40BD825}.exe	{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe
File created	C:\Windows\{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe	{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe
File created	C:\Windows\{C4379587-1CD1-4034-B4A3-E0758BD6F21A}.exe	{369BEFE9-517C-422e-8CE0-F14F78B2398C}.exe
File created	C:\Windows\{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe	{EC8F213A-F142-4a33-9470-28494484622D}.exe
File created	C:\Windows\{369BEFE9-517C-422e-8CE0-F14F78B2398C}.exe	{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe
File created	C:\Windows\{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
File created	C:\Windows\{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe	{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe
File created	C:\Windows\{8DFD860E-2093-454c-BF86-95794D0939E4}.exe	{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe
File created	C:\Windows\{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe	{8DFD860E-2093-454c-BF86-95794D0939E4}.exe
File created	C:\Windows\{EC8F213A-F142-4a33-9470-28494484622D}.exe	{592C24E9-20F7-475b-B226-D39DB40BD825}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1116	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2912	{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe
Token: SeIncBasePriorityPrivilege	3524	{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe
Token: SeIncBasePriorityPrivilege	648	{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe
Token: SeIncBasePriorityPrivilege	2468	{8DFD860E-2093-454c-BF86-95794D0939E4}.exe
Token: SeIncBasePriorityPrivilege	4340	{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe
Token: SeIncBasePriorityPrivilege	3424	{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe
Token: SeIncBasePriorityPrivilege	2028	{592C24E9-20F7-475b-B226-D39DB40BD825}.exe
Token: SeIncBasePriorityPrivilege	1160	{EC8F213A-F142-4a33-9470-28494484622D}.exe
Token: SeIncBasePriorityPrivilege	3204	{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe
Token: SeIncBasePriorityPrivilege	648	{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe
Token: SeIncBasePriorityPrivilege	2352	{369BEFE9-517C-422e-8CE0-F14F78B2398C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2912	1116	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	95
PID 1116 wrote to memory of 2912	1116	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	95
PID 1116 wrote to memory of 2912	1116	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	95
PID 1116 wrote to memory of 224	1116	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	96
PID 1116 wrote to memory of 224	1116	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	96
PID 1116 wrote to memory of 224	1116	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	96
PID 2912 wrote to memory of 3524	2912	{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe	97
PID 2912 wrote to memory of 3524	2912	{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe	97
PID 2912 wrote to memory of 3524	2912	{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe	97
PID 2912 wrote to memory of 1168	2912	{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe	98
PID 2912 wrote to memory of 1168	2912	{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe	98
PID 2912 wrote to memory of 1168	2912	{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe	98
PID 3524 wrote to memory of 648	3524	{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe	101
PID 3524 wrote to memory of 648	3524	{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe	101
PID 3524 wrote to memory of 648	3524	{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe	101
PID 3524 wrote to memory of 3568	3524	{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe	102
PID 3524 wrote to memory of 3568	3524	{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe	102
PID 3524 wrote to memory of 3568	3524	{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe	102
PID 648 wrote to memory of 2468	648	{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe	103
PID 648 wrote to memory of 2468	648	{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe	103
PID 648 wrote to memory of 2468	648	{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe	103
PID 648 wrote to memory of 1628	648	{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe	104
PID 648 wrote to memory of 1628	648	{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe	104
PID 648 wrote to memory of 1628	648	{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe	104
PID 2468 wrote to memory of 4340	2468	{8DFD860E-2093-454c-BF86-95794D0939E4}.exe	105
PID 2468 wrote to memory of 4340	2468	{8DFD860E-2093-454c-BF86-95794D0939E4}.exe	105
PID 2468 wrote to memory of 4340	2468	{8DFD860E-2093-454c-BF86-95794D0939E4}.exe	105
PID 2468 wrote to memory of 2064	2468	{8DFD860E-2093-454c-BF86-95794D0939E4}.exe	106
PID 2468 wrote to memory of 2064	2468	{8DFD860E-2093-454c-BF86-95794D0939E4}.exe	106
PID 2468 wrote to memory of 2064	2468	{8DFD860E-2093-454c-BF86-95794D0939E4}.exe	106
PID 4340 wrote to memory of 3424	4340	{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe	108
PID 4340 wrote to memory of 3424	4340	{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe	108
PID 4340 wrote to memory of 3424	4340	{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe	108
PID 4340 wrote to memory of 4408	4340	{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe	109
PID 4340 wrote to memory of 4408	4340	{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe	109
PID 4340 wrote to memory of 4408	4340	{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe	109
PID 3424 wrote to memory of 2028	3424	{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe	110
PID 3424 wrote to memory of 2028	3424	{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe	110
PID 3424 wrote to memory of 2028	3424	{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe	110
PID 3424 wrote to memory of 2512	3424	{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe	111
PID 3424 wrote to memory of 2512	3424	{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe	111
PID 3424 wrote to memory of 2512	3424	{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe	111
PID 2028 wrote to memory of 1160	2028	{592C24E9-20F7-475b-B226-D39DB40BD825}.exe	115
PID 2028 wrote to memory of 1160	2028	{592C24E9-20F7-475b-B226-D39DB40BD825}.exe	115
PID 2028 wrote to memory of 1160	2028	{592C24E9-20F7-475b-B226-D39DB40BD825}.exe	115
PID 2028 wrote to memory of 1920	2028	{592C24E9-20F7-475b-B226-D39DB40BD825}.exe	116
PID 2028 wrote to memory of 1920	2028	{592C24E9-20F7-475b-B226-D39DB40BD825}.exe	116
PID 2028 wrote to memory of 1920	2028	{592C24E9-20F7-475b-B226-D39DB40BD825}.exe	116
PID 1160 wrote to memory of 3204	1160	{EC8F213A-F142-4a33-9470-28494484622D}.exe	120
PID 1160 wrote to memory of 3204	1160	{EC8F213A-F142-4a33-9470-28494484622D}.exe	120
PID 1160 wrote to memory of 3204	1160	{EC8F213A-F142-4a33-9470-28494484622D}.exe	120
PID 1160 wrote to memory of 3500	1160	{EC8F213A-F142-4a33-9470-28494484622D}.exe	121
PID 1160 wrote to memory of 3500	1160	{EC8F213A-F142-4a33-9470-28494484622D}.exe	121
PID 1160 wrote to memory of 3500	1160	{EC8F213A-F142-4a33-9470-28494484622D}.exe	121
PID 3204 wrote to memory of 648	3204	{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe	122
PID 3204 wrote to memory of 648	3204	{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe	122
PID 3204 wrote to memory of 648	3204	{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe	122
PID 3204 wrote to memory of 464	3204	{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe	123
PID 3204 wrote to memory of 464	3204	{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe	123
PID 3204 wrote to memory of 464	3204	{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe	123
PID 648 wrote to memory of 2352	648	{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe	124
PID 648 wrote to memory of 2352	648	{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe	124
PID 648 wrote to memory of 2352	648	{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe	124
PID 648 wrote to memory of 3320	648	{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe	125

C:\Users\Admin\AppData\Local\Temp\ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe
  C:\Windows\{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe
    C:\Windows\{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe
      C:\Windows\{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\Windows\{8DFD860E-2093-454c-BF86-95794D0939E4}.exe
        
        C:\Windows\{8DFD860E-2093-454c-BF86-95794D0939E4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Windows\{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe
        
        C:\Windows\{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe
        
        C:\Windows\{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\{592C24E9-20F7-475b-B226-D39DB40BD825}.exe
        
        C:\Windows\{592C24E9-20F7-475b-B226-D39DB40BD825}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{EC8F213A-F142-4a33-9470-28494484622D}.exe
        
        C:\Windows\{EC8F213A-F142-4a33-9470-28494484622D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe
        
        C:\Windows\{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe
        
        C:\Windows\{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\{369BEFE9-517C-422e-8CE0-F14F78B2398C}.exe
        
        C:\Windows\{369BEFE9-517C-422e-8CE0-F14F78B2398C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\{C4379587-1CD1-4034-B4A3-E0758BD6F21A}.exe
        
        C:\Windows\{C4379587-1CD1-4034-B4A3-E0758BD6F21A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{369BE~1.EXE > nul
        13⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EE25~1.EXE > nul
        12⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE07~1.EXE > nul
        11⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC8F2~1.EXE > nul
        10⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{592C2~1.EXE > nul
        9⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45E91~1.EXE > nul
        8⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E4E2~1.EXE > nul
        7⤵
        
        PID:4408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DFD8~1.EXE > nul
        6⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A9FB~1.EXE > nul
        5⤵
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BFD66~1.EXE > nul
      4⤵
      PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{16F84~1.EXE > nul
    3⤵
    PID:1168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CE959C~1.EXE > nul
  2⤵
  PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16F84879-E3B2-4f54-B9A0-F927B74FDA70}.exe

Filesize
90KB

MD5
1cb3afeb49fe1d274526b66fc4864ef0

SHA1
08a6c6e00c8aad5b60289911234ab03cb6821b1f

SHA256
1ceab8f2934b1c0194e159cbf5eb4fa765310bd2ee854565568f9db3fbbc7671

SHA512
43edde1135895ce71da7604df3bb934323533b57c220f376a79efa33ffde4029cd1e1c8a1d9c330affc50bfe1980173627779a1bc7632805902843341c2fbec1

Download Submit
C:\Windows\{2E4E201A-B147-4be1-BA8A-B6714E888469}.exe

Filesize
90KB

MD5
202f942878096e765b1768c7d65de448

SHA1
b7e4e5fa665ea03f3972b347fc9672dc1b65f747

SHA256
cc2af224ff78120943c6ae87f4ed9694112308b05da28b5440f2c278b379f18a

SHA512
a1c8f3d0e0ebd99232388738187e7f2a7aaaa5582a60b7c9edfd943558a110abfa2cb7c9c52b5b456c8932ff2a8341aac9a5b44f1f009ab133e6dde6d7bd5ef5

Download Submit
C:\Windows\{369BEFE9-517C-422e-8CE0-F14F78B2398C}.exe

Filesize
90KB

MD5
d35cc165ecf861cdf7f088bc1d6be699

SHA1
e8bab81958f8f4e50eb15f9f52723ce2254fb350

SHA256
25316bdba905c109c122f3f03100daba452b1a70e86b150b61e6038316846ee7

SHA512
950f4c5bbbd9cea916159deec13134285a03ba01f99d6a92739ad6011a5978e53fabbc921ce6abe782fd62de52e09212b7724dadc6f88e2c5d3c6daca74c51b1

Download Submit
C:\Windows\{3A9FB438-78C5-48c7-8139-C9C8DE0DA415}.exe

Filesize
90KB

MD5
70dca3057e7d98232e1e7b419126828d

SHA1
38084add9763bd3426a097b4302ec2dbd0004cd2

SHA256
4004cc30979d932b0e46fa7b9f28652db186c19554d4012c5838f887e351cc5d

SHA512
9364681a84ea54373d78fec7190166cad5a12ef4c998f07d6996373203666ba579fe4ce7c0bd910a91b2d45e71c18000001bb396de7fc76eb487688e1aeb786f

Download Submit
C:\Windows\{45E914B3-53BF-4e4f-8009-13E40383A3A7}.exe

Filesize
90KB

MD5
78629200f6c0e0cddbb865f12f7dc4fb

SHA1
d5a98140ced83b139bba6a48ac6acb6da24bd90e

SHA256
4971497a92b9ebdb14d4295f0840500a92420ea92dca6b85002fec566af245c8

SHA512
da4a53851fdaf23976b85e4b1db5f6f7ab07ce6b49797d97020edaba60b88b0a7531bbc0e967455a2643437ff1041251aca1959692c642c4d706c184fe9b2b8f

Download Submit
C:\Windows\{592C24E9-20F7-475b-B226-D39DB40BD825}.exe

Filesize
90KB

MD5
965fb89874f3cec56a718f8bd1cc550a

SHA1
a0ed77e35760326cfa565e1f023cbe782fbc6b22

SHA256
17a9ab3b1286f92f852a159515a595a6bf3aa931683d08ec49c1fee746cd5cb9

SHA512
5834528552c72dc939aabf0781253d1536872aea7ab95d671091d0bde6767acbe5a1664372312bd47a925904d06a1342dd766bf965b5710ca13a54bcd435c578

Download Submit
C:\Windows\{7AE07C45-CC7F-41a9-B8BF-17E9A498D590}.exe

Filesize
90KB

MD5
c2ba5d242f18c7d0fceb99f72804ca45

SHA1
9d192e864f5063b6e7104cfa977cad8f2a0c63b5

SHA256
44d59f8cf360a1cdc154d87d1d3731dc33761efc1c4b0ed8db3d40ba14b09047

SHA512
358b9bf0076e47d947328e6b44ad000150d6467de009b025f2b32e0e6e89d63c581c75ccfb8803d7ef68736d36db9f4dce6817b8d628281c5d72fc8337ef1c3f

Download Submit
C:\Windows\{8DFD860E-2093-454c-BF86-95794D0939E4}.exe

Filesize
90KB

MD5
d57bffbe9cc6316b970f56491d848d11

SHA1
43a28764bf4dc1ec3442f46ef29151e80c339f25

SHA256
f2e797245d92077b0d6b6d15e564a3c466897e2d748d765dd0b9a3b3efd725e8

SHA512
b4befa8982cb22a4bb8a1f94e4dd055d48229c80ef3afab93e98a80a9ae7ad3fc08cd5a5bd8559fa43c815de513a909b5b996a3a14002438c07d688ba2c4d8a0

Download Submit
C:\Windows\{8EE25966-F6D7-4e72-B5E0-65AD854A69EA}.exe

Filesize
90KB

MD5
aeab494e98ae1b4cefabe8c69eef044b

SHA1
4b8d81b0a208362a4f46c25fbd3340b432a1f693

SHA256
e0eaf5cdaa71bf448ee3c0f36867ac0414aa8212dd0df148e86facee28b6e477

SHA512
c72f18935b4a4b51bd322dd5f2389b0c59e63c71377f68a901bd4cbc7e6dbd1616a65dca4cdaf2554aa4f763320f2b676059c0f9a2c6585003ab2c91e98f00ad

Download Submit
C:\Windows\{BFD66B77-E3B1-479c-984F-B30AEBBB7D48}.exe

Filesize
90KB

MD5
49fa977f48d86663cf8f037791167bdf

SHA1
ff5d7e4c3d1cc121ad302029aee167869d5f1879

SHA256
98568f55776ace0ca7bbc835c7af8fe2f7cb4013d172cc5bef5c6fe63d042782

SHA512
d104703de0ed0ad3f873dcc1f2e9a01ee5628a07bc5ee00196ffd251fa6d2a8390037034617544a28b834f54a11238d47480e950b10ebcf37dbcb1e6fb5d06fb

Download Submit
C:\Windows\{C4379587-1CD1-4034-B4A3-E0758BD6F21A}.exe

Filesize
90KB

MD5
31f27996dc1b9a71fc0914772ac3d3fc

SHA1
b2ad81a16bfafb3b68cd0d6a4a6a84cb26f54c73

SHA256
b4b03f3768ebceac82d74e7fb352a95663ff7d1f177619e153985eda72d120fe

SHA512
a2a1829b5d242efd9dfcf7a6f85af5c188aa22d1f88a885421e25296ed0e9b58d3a164cf43cc0120e459fb49b7e2d25c5b56d29de40d2a2766392b26921ab913

Download Submit
C:\Windows\{EC8F213A-F142-4a33-9470-28494484622D}.exe

Filesize
90KB

MD5
f1dae6ce5e57dc92788f1fd33c6d36cb

SHA1
f16c89930a0a9724b65376bda1cf6694f13a6358

SHA256
4d7580516b3caf6d0d9d77d6bc99ce937bc93e13640abb8164bb931e3a1874a4

SHA512
510c3e51c071beaefe129450851801b1f696862f1b292a95ccc493ff50e4a2e2874af4f2a290cf938f667364171bbb52188b164447585658a9e3c71409711213

Download Submit
memory/648-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/648-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/648-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/648-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1116-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1116-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1160-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1160-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2352-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2352-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2468-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2468-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2912-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2912-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3204-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3204-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3424-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3424-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3524-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3524-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4340-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4340-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4556-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads